From owner-freebsd-questions@FreeBSD.ORG  Mon Aug 11 17:22:45 2003
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id ED7F237B401
	for <freebsd-questions@freebsd.org>;
	Mon, 11 Aug 2003 17:22:45 -0700 (PDT)
Received: from asarian-host.net (mail.asarian-host.net [194.109.160.70])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AF82843F93
	for <freebsd-questions@freebsd.org>;
	Mon, 11 Aug 2003 17:22:44 -0700 (PDT)
	(envelope-from admin@asarian-host.net)
Comments: To protect the identity of the sender, certain header
	fields are either not shown, or masked. Anonymous email
	accounts can be requested by filling in the appropriate
	form at: https://asarian-host.net/cgi-bin/signup.cgi
Received: (from root@localhost)
	by mail.asarian-host.net (8.12.9/8.12.9) id h7C0MhWf058086
	for freebsd-questions@freebsd.org;
	Tue, 12 Aug 2003 02:22:43 +0200 (CEST)
	(envelope-from admin@asarian-host.net)
From: Mark <admin@asarian-host.net>
Message-Id: <200308120022.H7C0MGXS058078@asarian-host.net>
Date: Tue, 12 Aug 2003 00:22:43 GMT
X-Authenticated-Sender: admin@asarian-host.net
X-Trace: VujuqeW7RnpQSVOTgc13+eBXQteQcziNxmyHUyz0h4QgOiFmSJjZ7NggR+OeOUI8wnvuYdyLZmw2Of9rvyneFA==
X-Complaints-To: abuse@asarian-host.net
X-Abuse-Info: Please be sure to forward a copy of ALL headers
X-Abuse-Info: Otherwise we are unable to process your complaint
Organization: Asarian-host
To: <freebsd-questions@freebsd.org>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Auth: Asarian-host PGP signature
	iQEVAwUAPzgzUzFqW1BleBN9AQGzmggAjqjOh5W4UOlPYzF+MPOUg2wSCdJaGM40
	BSTJyHtZGjgybE0M01HUHbWCOdKMGPo43EWnGkUmnQcZubCkVakFS8oAEQJeGG61
	dd1ZJ89W2EiBCeVMXqk86UfKD7MwE8QggVPJLjcF+9EqixOYA05xm6KpdC097KAk
	uJwdMWZyTwqj+9rujdTIOCHI1zstiHE9F/yb5Xgy1slOqbVScFnpAb4ujcxY4ZOk
	+rrSbqVMEKzXrXAGDkkLd2OH/uX3W85HzXsRUo5RFq8xHdYrnRKcqaqDQw3CdD8d
	RXow0TM71QDZzMRNsXUdKqE55Bl7kyspLFdUQHwZxKwYdzy77BH33w==
	=ItHq
Subject: Restricting ICMP
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>,
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Aug 2003 00:22:46 -0000

Hello,

Is there a way I can use ipfw to disallow ICMP from anyone, but root?
(FreeBSD 4.7R) I tried this:

${fwcmd} -q add 4 allow icmp from any to any icmptype 0,3,8,11 in via
${outside}
${fwcmd} -q add 4 allow icmp from any to any uid root
${fwcmd} -q add 4 deny log icmp from any to any

But that, obviously, does not do what I want it to, as it keeps denying
everything going out. It may not even be possible to restrict ICMP that way,
but it never hurts to ask. :)

Thanks.

- Mark